From: Timo Sirainen
Date: Fri, 15 Aug 2025 08:48:53 +0000 (+0300)
Subject: lib-oauth2: jwt - Allow nbf and iat to point 1 second into future
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f98e9678caf5be1025f47b80a41ba15f3ddf8cb7;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: jwt - Allow nbf and iat to point 1 second into future

The token could have just been generated with a server where time is slightly into the future compared to this server.
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 6192283292..4688796751 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -499,11 +499,14 @@ oauth2_jwt_body_process(const struct oauth2_settings *set,
  } else if (ret == 0 || iat == 0)
  iat = t0;
- if (nbf > t0) {
+ /* Token could have been just generated with a server where time is
+ slightly newer than this server's time. Allow 1 second difference
+ to avoid random failures due to token being into future. */
+ if (nbf > t0 + 1) {
  *error_r = "Token is not valid yet";
  return -1;
  }
- if (iat > t0) {
+ if (iat > t0 + 1) {
  *error_r = "Token is issued in future";
  return -1;
  }
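Review bot: The one-second leeway is written as a bare `+ 1` in both the nbf and the iat comparison, and only the nbf check carries the comment that explains it. A single named constant, for example `#define OAUTH2_JWT_CLOCK_SKEW_SECS 1` (the name is only a suggestion), used as `if (nbf > t0 + OAUTH2_JWT_CLOCK_SKEW_SECS) {` and likewise for iat, would keep the two checks in step and make the accepted skew easy to audit or tune. The exp check is not visible in this hunk, so it is worth confirming whether expiry is meant to get a matching tolerance or to stay strict on purpose. oauth2_jwt_body_process starts and ends outside the hunk.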